Re: Feature request: psql --idle - Mailing list pgsql-general

From Michael Nolan
Subject Re: Feature request: psql --idle
Date
Msg-id CAOzAqu+b-GmKrRhoOz4xmwYeGzCtZGyLkC4bZ371Em7UWNXfdw@mail.gmail.com
In response to Feature request: psql --idle  (Wiwwo Staff <wiwwo@wiwwo.com>)
List pgsql-general


On Wed, Jul 27, 2022 at 7:50 AM Wiwwo Staff <wiwwo@wiwwo.com> wrote:
> Since changing pg_hba.conf file to give users access involves the restart of server, many companies I work(ed) use a bastion host, where users ssh to, and are allowed to "somehow" use postgresql.
>
> Still, those users need some login shell.


No, they don't need login shells.  You can set up an SSH tunnel to the bastion server on the user's system that in turn sets up a tunnel to the database server on the bastion server.

Something like this:
    ssh -f -N user@bastion -L XXXX:dbserver:YYYY

So when the user connects to port XXXX on the local server it tunnels through to port YYYY on the dbserver through the bastion server. 

This way you can limit who has access to the bastion server, and you can set the PostgreSQL server to accept (only) the IP address of the bastion server. We use this to access a database on an RDS server at AWS from a server at a different data center.
--
Mike Nolan
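
The restriction described in the message above (PostgreSQL accepting only the bastion's address) can be checked mechanically. The following is an added example, not part of the original post: a shell function that lists pg_hba.conf rules admitting any client other than the bastion. The function names, the sample file and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. All addresses are constructed
# (RFC 5737 documentation ranges); 192.0.2.10 stands in for the bastion.

# audit_hba BASTION_IP [FILE...]   (reads stdin when no FILE is given)
# Prints every TCP rule in pg_hba.conf that admits a client other than the
# bastion or loopback. Returns 1 if any such rule exists, 0 otherwise.
# Not handled: include directives and quoted fields containing "#".
audit_hba() {
    bastion=$1; shift
    awk -v bastion="$bastion" '
        { sub(/#.*/, "") }                      # drop comments
        $1 !~ /^host/ { next }                  # skip "local" and blank lines
        {
            addr = $4; method = $5
            # Older "ADDRESS NETMASK" form spends two columns on the address.
            if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                addr = $4 "/" ($5 == "255.255.255.255" ? "32" : $5)
                method = $6
            }
            if (method == "reject") next        # deny rules admit nobody
            if (addr == "127.0.0.1/32" || addr == "::1/128") next
            if (addr != (bastion "/32")) {
                print NR ": " $1, $2, $3, addr, method
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed pg_hba.conf used for the demonstration.
sample_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       postgres               peer
host    all       all   127.0.0.1/32     scram-sha-256
hostssl all       all   192.0.2.10/32    scram-sha-256   # bastion
hostssl appdb     app   10.0.0.0/8       scram-sha-256   # whole private range
host    all       all   198.51.100.7 255.255.255.255 md5
host    all       all   0.0.0.0/0        reject
EOF
}

sample_hba | audit_hba 192.0.2.10 || echo "rules above admit clients other than the bastion"
```

Against a real server, pass the path reported by `SHOW hba_file;` as the second argument.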
